5th June 2021
I have already written about setting up an Odroid as an IP router: Using Odroid as IP router.
Today I powered down my second Odroid, which I had previously used as a WLAN router. There was nothing wrong with the Odroid. It just drew 7W, and the NUC was already running next to it, so there was no real reason for another machine. What is described here applies to any PC; it is not specific to an Intel NUC.
Here are the steps for the setup on Arch Linux.
1. Installing the required WLAN driver. I had to install rtl8812au-dkms-git from AUR.
2. Set IP addresses. The WLAN card has to be set to a fixed IP address. I use systemd-networkd for this. The first two files assign the good old interface names based on the MAC address.
    /etc/systemd/network: cat 00-eth0.link
    [Match]
    MACAddress=c0:3f:d5:61:e7:25

    [Link]
    Name=eth0

    /etc/systemd/network: cat 00-wg0.link
    [Match]
    MACAddress=24:05:0f:f6:f7:2d

    [Link]
    Name=wg0
Now we set the actual IP addresses.
    /etc/systemd/network: cat eth0.network
    [Match]
    Name=eth0

    [Network]
    Address=192.168.178.24/24
    Gateway=192.168.178.1
    DNS=192.168.178.1 18.104.22.168 22.214.171.124

    /etc/systemd/network: cat wg0.network
    [Match]
    Name=wg0

    [Network]
    #DHCP=yes
    Address=192.168.4.1/24
    Gateway=192.168.178.1
    DNS=192.168.178.1
3. Installing dnsmasq. Install dnsmasq. The dnsmasq configuration is as follows:
    dhcp-range=192.168.4.51,192.168.4.99,255.255.255.0,12h
    dhcp-host=e8:d8:d1:02:7c:5e,hp3830,192.168.4.16,12h
    dhcp-host=94:65:2d:7a:c6:36,five,192.168.4.118,12h
    dhcp-host=8c:83:e1:1c:25:d2,samsung,192.168.4.119,12h
    dhcp-host=52:d4:94:59:d6:ce,tablet,192.168.4.120,12h
    address=/ads.t-online.de/127.0.0.1
    address=/adtech.de/127.0.0.1
    address=/doubleclick.net/127.0.0.1
    address=/adclick.g.doubleclick.net/127.0.0.1

It sets the DHCP address range, assigns fixed IP addresses to some special devices, and maps some annoying web sites to localhost.
4. Checking forwarding. A router must be able to forward IP packets from one network to another. You must have net.ipv4.ip_forward set via

    /etc/sysctl.d: cat 10-network.conf
    # Enable IP forwarding
    net.ipv4.ip_forward=1
4. Install access point. Install hostapd. Configuration is as below:
    # Taken from https://wiki.archlinux.org/index.php/Software_access_point
    # klm, 26-Aug-2018
    interface=wg0
    #bridge=br0

    # SSID to be used in IEEE 802.11 management frames
    ssid=<Your ESSID>
    # Driver interface type (hostap/wired/none/nl80211/bsd)
    driver=nl80211
    # Country code (ISO/IEC 3166-1)
    country_code=de

    # Enable IEEE 802.11d. This advertises the country_code and the set of allowed
    # channels and transmit power levels based on the regulatory limits. The
    # country_code setting must be configured with the correct country for
    # IEEE 802.11d functions.
    # (default: 0 = disabled)
    ieee80211d=1

    # Operation mode (a = IEEE 802.11a (5 GHz), b = IEEE 802.11b (2.4 GHz),
    # g = IEEE 802.11g (2.4 GHz), ad = IEEE 802.11ad (60 GHz); a/g options are used
    # with IEEE 802.11n (HT), too, to specify band). For IEEE 802.11ac (VHT), this
    # needs to be set to hw_mode=a. When using ACS (see channel parameter), a
    # special value "any" can be used to indicate that any support band can be used.
    # This special case is currently supported only with drivers with which
    # offloaded ACS is used.
    # Default: IEEE 802.11b
    hw_mode=g
    #new: hw_mode=a
    # Channel number
    channel=13
    #new: channel=48
    # Maximum number of stations allowed
    max_num_sta=15

    # Bit field: bit0 = WPA, bit1 = WPA2
    wpa=2
    # Bit field: bit0 = Open System Authentication, bit1 = Shared Key Authentication (requires WEP)
    auth_algs=1
    # Set of accepted cipher suites
    wpa_pairwise=CCMP
    rsn_pairwise=CCMP
    # Set of accepted key management algorithms
    #wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
    wpa_key_mgmt=WPA-PSK
    wpa_passphrase=<Your WLAN password>

    # hostapd event logger configuration
    logger_stdout=-1
    logger_stdout_level=2

    # ieee80211n: Whether IEEE 802.11n (HT) is enabled
    # 0 = disabled (default)
    # 1 = enabled
    # Note: You will also need to enable WMM for full HT functionality.
    # Note: hw_mode=g (2.4 GHz) and hw_mode=a (5 GHz) is used to specify the band.

    # Advertise allowed channels and power
    ieee80211d=1
    ieee80211n=1
    ieee80211ac=1
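A check one can run over this file before starting the access point. This is an added example, not part of the original post or of hostapd; the sample text is constructed to mirror the security-relevant settings above, and the finding texts are this example's own wording.

```python
SAMPLE = """\
# constructed sample with the same security-relevant settings as the config above
hw_mode=g
wpa=2
auth_algs=1
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_key_mgmt=WPA-PSK
wpa_passphrase=constructed-example-passphrase
ieee80211d=1
ieee80211d=1
ieee80211ac=1
"""

def parse(text):
    # Collect key=value lines, skip comments, remember keys that appear twice.
    conf, dups = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in conf:
            dups.append(key)
        conf[key] = value.strip()
    return conf, dups

def audit(text):
    """Return a list of findings for weak or inconsistent settings."""
    conf, dups = parse(text)
    findings = [f"duplicate key: {k}" for k in dups]
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        findings.append("wpa=0: no WPA/WPA2 protection")
    elif wpa & 1:
        findings.append("wpa bit0 set: legacy WPA (v1) accepted")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append(f"{key} allows TKIP")
    if int(conf.get("auth_algs", "0")) & 2:  # only checked when set explicitly
        findings.append("auth_algs bit1 set: shared-key (WEP) authentication allowed")
    if "wpa_passphrase" in conf and not 8 <= len(conf["wpa_passphrase"]) <= 63:
        findings.append("wpa_passphrase must be 8..63 characters")
    if conf.get("ieee80211w", "0") == "0":
        findings.append("ieee80211w=0: management frame protection disabled")
    if conf.get("ieee80211ac") == "1" and conf.get("hw_mode") != "a":
        findings.append("ieee80211ac=1 needs hw_mode=a")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Whether ieee80211w can be enabled depends on driver and client support, so treat that finding as something to test rather than a required change.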
Enable hostapd service via
    systemctl enable hostapd
    systemctl start hostapd
Checking WiFi can be done like so:
    $ iwlist wg0 scan
    wg0       Scan completed :
              Cell 01 - Address: 34:31:C4:64:E5:91
                        ESSID:"Turk Telekom"
                        Protocol:IEEE 802.11bgn
                        Mode:Master
                        Frequency:2.412 GHz (Channel 1)
                        Encryption key:on
                        Bit Rates:144 Mb/s
                        Extra:rsn_ie=30140100000fac040100000fac040100000fac020000
                        IE: IEEE 802.11i/WPA2 Version 1
                            Group Cipher : CCMP
                            Pairwise Ciphers (1) : CCMP
                            Authentication Suites (1) : PSK
                        IE: Unknown: DD6F0050F204104A0001101044000102103B000103104700102C5A66C569964D595C0E3431C464E5911021000341564D1023000446
                            426F78102400043030303010420004303030301054000800060050F20400011011000446426F78100800020280103C0001031049000600372A000120
                        Quality=84/100  Signal level=10/100
                        Extra:fm=0003
              Cell 02 - Address: 94:4A:0C:7E:1D:CB
                        ESSID:"WLAN-296708"
                        Protocol:IEEE 802.11bgn
                        Mode:Master
                        Frequency:2.412 GHz (Channel 1)
                        Encryption key:on
                        Bit Rates:144 Mb/s
                        Extra:rsn_ie=30140100000fac040100000fac040100000fac020c00
                        IE: IEEE 802.11i/WPA2 Version 1
                            Group Cipher : CCMP
                            Pairwise Ciphers (1) : CCMP
                            Authentication Suites (1) : PSK
                        IE: Unknown: DD800050F204104A0001101044000102103B000103104700102A5E35610C22E96D12CB27C8D718E0611021000842726F6164636F6D
                            1023000842726F6164636F6D1024000631323334353610420004313233341054000800060050F20400011011000A42726F6164636F6D4150100800020106103C00010110490
                            00600372A000120
                        Quality=100/100  Signal level=8/100
                        Extra:fm=0003
    . . .
5. Activate NAT/Masquerading. Up to this point your smartphones and tablets can communicate with all other PCs in your network, but they cannot make any connections to the "real" internet. To activate this you must have iptables installed. Configuration of iptables in /etc/iptables/iptables.conf is thus:
    *nat
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
Very likely you want to single out some wireless devices that you want to connect to from the eth0 side. For that, add port-forwarding (DNAT) rules like these to the nat table above:
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.4.118:2223
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 2224 -j DNAT --to-destination 192.168.4.119:2224
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 2225 -j DNAT --to-destination 192.168.4.120:2225
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 2226 -j DNAT --to-destination 192.168.4.146:2226
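The configuration above defines only a nat table, so with net.ipv4.ip_forward=1 what gets routed between eth0 and wg0 depends entirely on the FORWARD chain's policy. The following added example (not part of the original post) derives a default-drop filter table from the DNAT rules, so that only the forwarded ports are reachable from the eth0 side; the function name and the choice to leave the INPUT and OUTPUT policies at ACCEPT are assumptions of this example.

```python
import re

# DNAT rules copied from the nat table above.
NAT_RULES = """\
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.4.118:2223
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2224 -j DNAT --to-destination 192.168.4.119:2224
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2225 -j DNAT --to-destination 192.168.4.120:2225
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2226 -j DNAT --to-destination 192.168.4.146:2226
"""

DNAT_RE = re.compile(
    r"-A PREROUTING -i (?P<wan>\S+) -p (?P<proto>tcp|udp) .*?--dport \d+ "
    r"-j DNAT --to-destination (?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+)"
)

def forward_rules(nat_rules, wlan_if="wg0", wan_if="eth0"):
    """Return iptables-restore lines for a default-drop FORWARD chain."""
    rules = [
        "*filter",
        ":INPUT ACCEPT [0:0]",    # INPUT/OUTPUT policies left unchanged
        ":FORWARD DROP [0:0]",    # nothing is routed unless allowed below
        ":OUTPUT ACCEPT [0:0]",
        # replies to connections that were already allowed
        "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
        # wireless clients may open connections towards the uplink
        f"-A FORWARD -i {wlan_if} -o {wan_if} -j ACCEPT",
    ]
    for line in nat_rules.splitlines():
        m = DNAT_RE.search(line)
        if m is None:
            continue  # not a port-forwarding rule
        # FORWARD sees the packet after DNAT, so match the translated target
        rules.append(
            f"-A FORWARD -i {m['wan']} -o {wlan_if} -p {m['proto']} -m {m['proto']} "
            f"-d {m['ip']} --dport {m['port']} -m conntrack --ctstate NEW -j ACCEPT"
        )
    rules.append("COMMIT")
    return rules

if __name__ == "__main__":
    print("\n".join(forward_rules(NAT_RULES)))
```

The printed lines go into the same rules file, next to the nat table.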